GDPR is an EU law on data protection and privacy for all individuals within the European Union.

It comes into effect 25th May 2018.

Simply put, GDPR makes it easier for you and me to manage our own personal data.

It also places greater responsibility on Data Controllers and Data Processors (such as this website).

I can hear some of you saying – this does not apply to me – I don’t live in the EU!

Perhaps so – but unlikely!

If you sell into the EU or hold EU residents’ data then the GDPR rules apply to you.

What is more, it is only a matter of time before other jurisdictions implement similar regulations.

The range and implications of the General Data Protection Regulation (GDPR) are huge – far more than we can cover in a single blog post!

So, in this post, we concentrate on the main things bloggers need to do, in order to make their website and business GDPR Compliant.

Disclaimer: This blog post is for informational purposes only, and you should not consider it legal advice. We recommend that you seek legal and other professional counsel to determine exactly how the GDPR might apply to you.

Additionally: This is one of our longer posts and it is tempting to skim over the main topics. I would encourage you not to do that. The implications of getting GDPR wrong are just too serious to neglect taking this topic seriously.

What This Website Is Doing to Become GDPR Compliant

A brief overview of just some of the things we are implementing right now. [there will be more to follow]

3. Add GDPR compliance link to footer of site where users can request data we have.

4. Add data protection policy to GDPR compliance page so users know what we do with data.

5. Email all current subscribers to reconfirm they want to be on our lists. Anyone who doesn’t confirm, will be removed from our lists.

6. Carry out a complete GDPR Audit – to identify what information we have, where it is stored, and what processes we have for data protection. (This includes confirming the safety of any data we transfer outside the EU to Data Processors)

GDPR, How To Get Your Website Ready

When it comes to GDPR and a typical blog these are the main areas to consider:

user registrations,

comments,

contact form entries,

analytics,

traffic logs,

security tools and plugins.

#1 GDPR and Getting Permission!

Personal Data is sometimes referred to as the new Oil or the new Gold.

Just ask Facebook!

Until recently many Facebook users felt they were the customer – but they are not.

Advertisers are Facebook’s customers. [Users are the product]

The news about Facebook and Cambridge Analytica plus other data breaches are changing the way people feel about their personal data.

Today’s new subscribers need to feel their personal data will be safe with you.

Not only that – but that we will respect the ‘permission’ they gave us to email them.

By permission – we mean that we will only email them in accordance with the authority they gave us when they subscribed.

If your subscriber requested a free report or video – that is all they get, unless they also agreed in advance to receive broader communications (for example, promotions).

So often in the past bloggers and Information Marketers (including yours truly) have advertised a Lead Magnet but not explained that, going forward, the subscriber will also get further emails and offers.

GDPR is putting an end to that!

We ourselves are adding check-boxes to all opt-in forms – similar to what you see in the example below – from our friend and Small Business Lawyer Suzanne Dibble.

I am not a huge fan of the word consent and would suggest some better marketing speak, but it cannot be denied – the intention in Suzanne’s opt-in is clear!

In addition there is a link to the Privacy Policy.

Note: The Tick Box is not pre-ticked.

The GDPR specifically bans pre-ticked opt-in boxes.

It requires granular consent for distinct processing operations.

If you also use SMS or Mail you will need separate TICK BOXES for each method of contact.

You also need to tell subscribers about their right to withdraw, and offer them easy ways to withdraw consent (un-subscribe) at any time.

Not only that, individuals have the right to erasure – also known as the right to be forgotten.

I imagine (but am not sure) that in Suzanne’s example, subscribers could be sub-divided into those who will receive both free legal resources (blog posts etc.) and promotions, and those who receive free legal resources only – as they did not give consent to promotions.

For another example of a Two Tick Boxes Opt-in, check out this Popup* from PopUp Domination.

* Currently in Beta testing and available to PopUp Domination customers shortly.

Lead Magnets After 25th May 2018

Have you ever signed up for a FREE REPORT and then been bombarded with a series of unrelated emails or offers?

Or have we been guilty of doing this ourselves, with our subscribers?

For some of you GDPR will feel like bad news – but I want you to look at it differently.

Transparency is the key…

Do you really feel emailing a subscriber about something they did not ‘sign up’ to is good business?

If your opt-ins and forms are clear and transparent about their purpose you will perhaps get a few fewer subscribers, but my prediction is that those who do subscribe will be more likely to do business with you.

Too many bloggers boast about their number of subscribers, when what really matters is the number of active subscribers who actually open your emails and read them!

Give me 10,000 active, interested subscribers where 25% or more open every email over, say, 50,000 subscribers where only 2% open my email!

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organizations across the region approach data privacy.

In particular, note this comment regarding penalties for GDPR non-compliance:

Under GDPR, organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines, e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement.

Powers like that get my attention!

The above said – the general consensus seems to be that unless you are a real rogue business, the GDPR Compliance Police just don’t have the resources to enforce every mistake or error just yet. The main point is that we must be able to demonstrate we are following best practice, and quickly and efficiently making it easy for subscribers to unsubscribe and manage their personal data.

At this stage, the regulatory approach seems to be focusing as much on training and education as on investigation.

Businesses that demonstrate respect for customer data are likely to reap big rewards.

In any case, we should be protecting users’ Personal Data not just because the law requires us to – but also because it’s the right thing to do.

#3 Your Privacy and Cookie Policy

If you have not already done so, put a GDPR cookie policy link in your website footer – GDPR has expanded Personal Data to include Cookies (when cookies can identify an individual, they are personal data).

Likewise with a Privacy Policy.

Fortunately there are plenty of resources online that allow us to build our own Privacy and Cookie policies, including free options.

But I would encourage you to consider a paid-for professional service when creating Privacy and Cookie policies.

Sometimes free is too expensive – especially when it comes to legal services!

Suzanne Dibble (already mentioned) provides an incredible GDPR Package for an inexpensive price, which not only covers Privacy and Cookies but also 18 further Legal Template Documents, Checklists and Video Guides.

Plugins To Manage Cookies

Please don’t consider this a recommendation (I have heard both good and bad about Cookiebot) – but so far Cookiebot is one of the few plugins that allow you to do a number of variations on the Cookie Display notice.

In the example below – users are only required to accept Necessary Cookies.

This user has already un-ticked Marketing cookies, but if they wish, the user could also un-tick Preferences and Statistics.

This is the Ultimate in giving the website user control…

However, Cookiebot also allows you to edit the cookie notice so that the user has to accept all cookies [see below]

(or leave site)

=> Cookiebot allows users to click on “Show Details” and see a display of all the different cookies being used on the website.

=> Cookiebot is free for websites of fewer than 100 pages. (This includes category pages, tag pages, the site map etc. – so reaching 100 pages on your website may be easier than you think.)

WordPress Support For GDPR

It is understood that WordPress is planning to include GDPR support in core release 4.9.6.

This includes privacy policy generation from plugin-provided data and also anonymizing comments. The release could be as early as May 2018.

#4 Get Existing Subscribers to Re-confirm their Subscription

In most instances your subscribers will need to reconfirm their subscription – unless you are one of those bloggers who have been very diligent in your sign-up process and can demonstrate that your systems, at the time your subscriber joined, were GDPR Compliant.

This is upsetting Information Marketers.

I want you to look at it differently.

How many on your list actually care about your message – open your emails?

If only a small percentage of subscribers are opening your emails, I will put it to you that your list, in reality, is much smaller than you think.

The time has come for re-engagement and honesty.

If every email you send out is selling something and you are not offering real value, then your days as an Information Marketer are numbered.

Begin an Email re-engagement campaign

Go back to your roots and deliver more of that compelling info that your subscribers signed up for in the first place.

Perhaps your Lead Magnet is a little dated – re-do it and send it to your list (a bonus free gift with no intent except to thank your subscriber for being a subscriber!)

Or do a Survey – find out why people subscribed in the first place.

What do they like best about your emails? What do they like least?

If you have any connection at all, some people will respond, giving you valuable info that will help you address their need and write more engaging content.

Even ask – why are you not opening my emails? (Use that as a Subject line to your un-opens)

You may be surprised at the answers.

And don’t be afraid to have your subscribers un-subscribe if your message or material is no longer applicable to them. (Don’t take it personally.)

Sometimes bloggers tell me they are afraid of emailing too often – and that is possible, but perhaps an even bigger risk is that you don’t email often enough.

I am told that most people on average get 88 emails per day (32,120 per year) – so think of it this way: if you only email once a month (12 times), how can you, with that ‘competition’, hope to keep the relationship and connection going?

People really do forget they subscribed!

GDPR is acting as a wake-up call for bloggers and how they build relationships with their list.

That has got to be good!

Remember the 3 E’s – Educate, Entertain and Engage.

Finally – and before 25th May 2018 – email your list asking them to reconfirm their wish to receive email from you.

Give some serious thought to the message you wish to convey.

Explain the benefits your subscriber gets as a subscriber!

I have heard varying opinions on the following suggestion, and it requires a degree of programming knowledge – but when it comes to that re-confirmation, give your subscriber two options:

Apparently with this option more people are likely to opt for YES – but of course you have got to get users to open your email in the first place.

To be clear, if your subscriber does not respond, you will need to remove that subscriber from your list.

This is not an exact example, but look how Sainsbury’s use this method when asking for contact permission.

Another example…

Here is a great example of both the ‘stay-connected’ email and the re-confirm form from BMW.

Note how they detail the benefits of re-confirming! Better still, I did not need to re-enter my email because their tracking system knows it is me, at my email address, re-confirming.

Perhaps this will give you some inspiration.

#5 Personal data, Sensitive Data and Explicit Consent

Even though most bloggers and Information Marketers will not be handling Sensitive Personal Data, it is important to note the differences and, MORE IMPORTANTLY, when explicit consent rather than unambiguous (implied) consent must be obtained.

Sensitive Data

With Sensitive Data you must always obtain explicit consent from the user.

Explicit consent requires a very clear and specific statement of consent.

Explicit consent must be obtained through a statement that should: “specify the nature of data that’s being collected, the details of the automated decision and its effects, or the details of the data to be transferred and the risks of the transfer”. (Directive 95/46/EC, Article 29).

Simply stated: the data subject should quite literally and explicitly say “I consent” for consent to be considered explicit.

• Directly identifying information such as a person’s name, surname, phone numbers, etc.
• Pseudonymous data or non-directly identifying information, which does not allow the direct identification of users but allows the singling out of individual behaviors (for instance to serve the right ad to the right user at the right moment).

=> Consent should be given by a clear affirmative act – This could include ticking a box when visiting an internet website.

=> Silence, pre-ticked boxes or inactivity do not constitute consent. (Clicking a submit button is not acceptance of terms.)

=> When the processing has multiple purposes, consent should be given for all of them. (Multiple Tick Boxes!)
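One way a blog’s subscription handler can apply the consent rules from #1 and this section (no pre-ticked boxes, one consent per purpose and per contact channel, a dated record of what was agreed, easy withdrawal and erasure), as an added example that is not part of the original post; the purpose and channel names, the form field names and the form_version label are assumptions made for the example:

```python
# Added example, not code from the original post: a minimal consent record
# for a blog opt-in form. A checkbox the user did not tick counts as "no",
# every purpose and every contact channel gets its own consent, the record
# keeps evidence of what was agreed and when (so you can show what the
# subscriber actually signed up for), and consent can be withdrawn or erased.
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical purposes and channels for this example.
PURPOSES = ("free_resources", "promotions")
CHANNELS = ("email", "sms", "post")


@dataclass
class ConsentRecord:
    email: str
    granted: dict = field(default_factory=dict)   # (purpose, channel) -> True
    evidence: list = field(default_factory=list)  # dated trace of each decision


def capture_consent(form: dict, form_version: str, now=None) -> ConsentRecord:
    """Build a consent record from submitted form fields (assumed names
    consent_<purpose>_<channel>). Only a field the browser sends as "on"
    (a ticked checkbox) counts; missing, empty or any other value is treated
    as no consent, so silence or a pre-filled default never grants anything."""
    now = now or datetime.now(timezone.utc)
    rec = ConsentRecord(email=form["email"].strip().lower())
    for purpose in PURPOSES:
        for channel in CHANNELS:
            if form.get(f"consent_{purpose}_{channel}") == "on":
                rec.granted[(purpose, channel)] = True
                rec.evidence.append({"purpose": purpose, "channel": channel,
                                     "form_version": form_version,
                                     "granted_at": now.isoformat()})
    return rec


def may_contact(rec: ConsentRecord, purpose: str, channel: str) -> bool:
    """Check before every send: is there a live consent for this pair?"""
    return rec.granted.get((purpose, channel), False)


def withdraw(rec: ConsentRecord, purpose: str, channel: str, now=None) -> None:
    """Right to withdraw (unsubscribe): drop one consent, keep a dated trace."""
    rec.granted.pop((purpose, channel), None)
    rec.evidence.append({"purpose": purpose, "channel": channel,
                         "withdrawn_at": (now or datetime.now(timezone.utc)).isoformat()})


def erase(rec: ConsentRecord) -> None:
    """Right to erasure: remove the personal data itself, not just the consents."""
    rec.email = ""
    rec.granted.clear()
    rec.evidence.clear()
```

The "promotions" checkbox left unticked in the constructed form below is exactly the Lead Magnet case from #1: the subscriber gets the free resources and nothing else.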

#6 Google Analytics and GDPR

As bloggers and information marketers we love to measure – Traffic, Cost Of Sale, Conversions etc.

In an interesting move by Google – they have introduced granular data retention controls in Google Analytics.

GDPR – Frequently Asked Questions

At our sister site PopupDomination – we receive a lot of questions about GDPR and the implications for Opt-in forms and Pop-ups.

Unfortunately, there is a lot of erroneous information and confusion.

In these FAQs we address some of the most common questions…

a) With GDPR, do subscribers have to DOUBLE OPT-IN in order to join my list?

The short answer is NO.

However, as with many things – it depends.

If, for example, you have a Tick Box that users have to actively tick in order to subscribe, and the consequences of subscribing are perfectly clear (i.e. you have explained in detail what the user can expect), then a Double Opt-in is not absolutely necessary.

In addition, your systems and data management must be able to demonstrate what the user actually signed up for, should there ever be a complaint.

Most web-forms and basic contact forms are processed under a legitimate interests basis and thus no explicit consent is required. [Unless you intend to use the data for anything other than what the user would expect]

Quote Requests can be considered contractual.

c) Is there a limit on how often I can email my subscribers?

There is no limit on how often you can email (but you must include an OPT OUT / UN-SUBSCRIBE link).

d) I know I need to have my subscribers re-confirm their subscription, but what if my subscribers do not respond or open my email?

With respect – in that case, you are better off losing that subscriber from your list. If, like IncomeDiary, you are spending significant sums on List Management each month, then at the very least you will be saving some money!

If they do not respond, you will need to remove that subscriber from your list.

The only exception may be subscribers who live outside the EU – provided you can identify them!

e) My American Processor of Data tells me they are part of Privacy Shield and this makes them compliant with GDPR. Is it safe for them to process my data?

Another short answer – YES

The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. You can find out more about Privacy Shield here.

f) Do I need a GDPR compliant data processing agreement? (DPA)

This is a big subject and we are not going into detail here – plus, on many occasions, the larger suppliers and handlers of your Data (Aweber, Google etc.) will have already covered this in their agreements / terms of service.

But with smaller suppliers (for example your bookkeeper) you may need to have a DPA in place.

Where a data processor carries out any processing on behalf of a data controller, the data controller does not comply with the DPA unless there is a written contract between the two parties that includes, as a minimum, the following two clauses:

the data processor must only act on the data controller’s instructions;

the data processor must use appropriate technical and organisational measures to prevent unauthorised or unlawful processing of the data, and accidental loss or damage to the data.